Is it ok to upgrade to Apache 2.2.25 manually?

Because of http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862, Trustwave, my PCI compliance provider, is requiring me to either disable the “mod_rewrite” module (which I cannot do, because one of the software packages in production on the server needs this module) or to upgrade Apache to 2.2.25. Virtualmin repositories (as well as, if I understand correctly, CentOS repositories) provide 2.2.15 only for now. I found this repository http://centos.alt.ru/repository/centos/6/x86_64 which provides Apache 2.2.25 and wonder whether it is OK to manually upgrade Apache with yum on the CLI, or whether it can break the system?

Further research on the subject shows, as indicated on https://bugzilla.redhat.com/show_bug.cgi?id=953729:

This issue has been addressed in following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2013:0815 https://rhn.redhat.com/errata/RHSA-2013-0815.html

I couldn’t find if this was reflected on CentOS.

Howdy,

It’s no problem for you to upgrade manually, though you’d need to make sure that suexec is configured to use /home as its directory, rather than the default of /var/www.

-Eric

The issue here is the same as the one described at http://www.virtualmin.com/node/30338, but I really don’t get how they managed to install 2.2.3-82.

The most recent Apache RPM available to CentOS should be in the Virtualmin software repository – upgrading to it should just be a matter of running “yum update” on the command line.

I verified just now that 2.2.3-82 is in fact in the repository.

-Eric

“yum update” didn’t do anything unfortunately:

root@my:/root# httpd -ver
Server version: Apache/2.2.15 (Unix)
Server built: Aug 25 2013 11:34:24
root@my:/root# yum update
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile

root@my:/etc/yum.repos.d# yum provides httpd
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: centos.tcpdiag.net
1:httpd-2.2.15-9.sl6.vm.i386 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-15.el6.vm.1.i686 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-9.el6.2.vm.i686 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-28.el6.vm.i686 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-15.el6.vm.i386 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-29.el6.vm.1.i686 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-28.el6.vm.1.i686 : Apache HTTP Server
Repo : virtualmin
Matched from:

httpd-2.2.15-26.el6.centos.i686 : Apache HTTP Server
Repo : base
Matched from:

1:httpd-2.2.15-29.el6.vm.i686 : Apache HTTP Server
Repo : virtualmin
Matched from:

1:httpd-2.2.15-29.el6.vm.1.i686 : Apache HTTP Server
Repo : installed
Matched from:
Other : Provides-match: httpd

root@my:/etc/yum.repos.d# yum provides httpd-2.2.3-82
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: centos.tcpdiag.net
Warning: 3.0.x versions of yum would erroneously match against filenames.
 You can use "*/httpd-2.2.3-82" and/or "*bin/httpd-2.2.3-82" to get that behaviour
No Matches found
root@my:/etc/yum.repos.d# yum provides */httpd-2.2.3-82
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: centos.tcpdiag.net
base/filelists_db | 4.9 MB 00:00
virtualmin/filelists | 63 kB 00:00
virtualmin-universal/filelists | 1.1 MB 00:00
No Matches found

Ah, 2.2.3-82 is for CentOS 5. The most recent Apache package available for CentOS 6 (which you appear to have there) is httpd-2.2.15-29.

The httpd-2.2.15-29 package available in CentOS 6 is more recent than the version available to CentOS 5.

-Eric
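
Red Hat-style packages fix CVEs without changing the upstream version number, so the package changelog, not the 2.2.15 banner, is where to check whether an installed httpd carries the CVE-2013-1862 fix. The helper below is an added example, not part of the thread; the function name `cve_in_changelog` and the sample changelog (including its `2.2.15-NN`/`2.2.15-MM` placeholders) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which RPM changelog entries mention a given CVE.
# Real usage on the server (rpm's --changelog query option):
#   rpm -q --changelog httpd | cve_in_changelog CVE-2013-1862

# cve_in_changelog CVE-ID
# Reads an RPM changelog on stdin, prints the header line of every entry
# that mentions CVE-ID, and returns 0 if at least one entry matched.
cve_in_changelog() {
    awk -v cve="$1" '
        # Entry headers look like: "* Day Mon DD YYYY Packager - version-release"
        /^\* / { header = $0; next }
        # Body line that names the CVE: report its entry header once.
        index($0, cve) {
            if (header != last) { print header; last = header }
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample changelog (placeholder packager and releases), so the
# example runs on a machine without rpm or httpd installed.
SAMPLE_CHANGELOG='* Mon Jan 01 2001 Example Packager <pkg@example.invalid> - 2.2.15-NN
- mod_rewrite: escape log output (CVE-2013-1862)

* Sun Dec 31 2000 Example Packager <pkg@example.invalid> - 2.2.15-MM
- unrelated fix'

if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-2013-1862; then
    echo "fix listed in changelog: keep the entry as evidence for the scan dispute"
else
    echo "CVE not mentioned in changelog: package may still be unpatched"
fi
```

The printed header gives the version-release that introduced the fix, which can be compared with the output of `rpm -q httpd` and quoted to the scanning vendor.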